A high-severity safety flaw has been disclosed in ProjectDiscovery’s Nuclei, a widely-used open-source vulnerability scanner that, if efficiently exploited, might enable attackers to bypass signature checks and probably execute malicious code.
Tracked as CVE-2024-43405, it carries a CVSS rating of seven.4 out of a most of 10.0. It impacts all variations of Nuclei later than 3.0.0.
“The vulnerability stems from a discrepancy between how the signature verification course of and the YAML parser deal with newline characters, mixed with the best way a number of signatures are processed,” in response to a description of the vulnerability.
“This enables an attacker to inject malicious content material right into a template whereas sustaining a legitimate signature for the benign a part of the template.”
Nuclei is a vulnerability scanner designed to probe fashionable functions, infrastructure, cloud platforms, and networks to determine safety flaws. The scanning engine makes use of templates, that are nothing however YAML recordsdata, to ship particular requests with a purpose to decide the presence of a flaw.
Moreover, it could allow the execution of exterior code on the host working system utilizing the code protocol, thereby giving researchers extra flexibility over safety testing workflows.
Cloud safety agency Wiz, which found CVE-2024-43405, stated the vulnerability is rooted within the template signature verification course of, which is used to make sure the integrity of the templates made out there within the official templates repository.
Profitable exploitation of the vulnerability is a bypass of this important verification step, permitting attackers to craft malicious templates that may execute arbitrary code and entry delicate information from the host.
“Since this signature verification is presently the one technique out there for validating Nuclei templates, it represents a possible single level of failure,” Wiz researcher Man Goldenberg stated in a Friday evaluation.
At its core, the issue stems from the usage of common expressions (aka regex) for signature validation and the parsing battle arising on account of utilizing each regex and YAML parser, thus opening the door to a situation the place an attacker can introduce a “r” character such that it sidesteps the regex-based signature verification and will get interpreted as a line break by the YAML parser.
Put in a different way, these parsing inconsistencies may very well be chained to create a Nuclei template that makes use of “r” to incorporate a second “# digest:” line that evades the signature verification course of however will get parsed and executed by the YAML interpreter.
“Go’s regex-based signature verification treats r as a part of the identical line, whereas the YAML parser interprets it as a line break. This mismatch permits attackers to inject content material that bypasses verification however is executed by the YAML parser,” Goldenberg defined.
“The verification logic validates solely the primary # digest: line. Further # digest: strains are ignored throughout verification however stay within the content material to be parsed and executed by YAML.”
Moreover, the verification course of features a step to exclude the signature line from the template content material, however does so in a way that solely the primary line is validated, thus leaving the next strains unverified however executable.
Following accountable disclosure, it was addressed by ProjectDiscovery on September 4, 2024, with model 3.3.2. The present model of Nuclei is 3.3.7.
“Attackers might craft malicious templates containing manipulated # digest strains or rigorously positioned r line breaks to bypass Nuclei’s signature verification,” Goldenberg stated.
“An assault vector for this vulnerability arises when organizations run untrusted or community-contributed templates with out correct validation or isolation. An attacker might exploit this performance to inject malicious templates, resulting in arbitrary command execution, information exfiltration, or system compromise.”
